I wanted to point them to a canonical resource on the ins and outs of securely implementing a reset function. The problem is, there isn’t one, at least not one covering everything I believe is important. So here it is.
Troy’s article is comprehensive and covers most of the important aspects of password resets.
Even though resets aren’t difficult, they’re often implemented poorly.
While many sites implement password resets insecurely, please don’t be one of them. Read the post and adopt the best practices; respect your users’ trust.